Abstract

In recent years, collaborative and group-oriented applications and protocols have been gaining popularity. These applications typically involve communication over open networks, so security is naturally an important requirement. Group key management is one of the basic building blocks in securing group communication. Most prior research in group key management focused on minimizing computation overhead, in particular minimizing expensive cryptographic operations. However, the continued advances in computing power have not been matched by a decrease in network communication delay. Thus, communication latency, especially in high-delay long-haul networks, increasingly dominates the key setup latency, replacing computation delay as the main latency contributor. Hence, there is a need to minimize the size of messages and especially the number of rounds in cryptographic protocols.

Since most previously proposed group key management techniques optimize computational (cryptographic) overhead, they are particularly impacted by high communication delay. In this work, we discuss and analyze a specific group key agreement technique which supports dynamic group membership and handles network failures, such as group partitions and merges. This technique is very communication-efficient and provably secure against hostile eavesdroppers as well as various other attacks specific to group settings. Furthermore, it is simple, fault-tolerant and well-suited for high-delay networks.

Index Terms

security, group key agreement, group communication, communication complexity, cryptographic protocols
I. Introduction

Secure group communication is an increasingly popular research area that has received much attention in recent years. Since most group communication takes place over the wide-open expanse of the Internet, security is a major concern. The fundamental security challenge revolves around secure and efficient group key management. Centralized key management methods (key distribution) are appropriate for 2-party (e.g., client-server or peer-to-peer) communication as well as for large multicast groups. However, many collaborative group settings (e.g., conferencing, white-boards, shared instruments, and command-and-control systems) require distributed key management techniques.

The majority of research in group key agreement (one way of implementing distributed group key management) has been mainly concerned with increasing security while minimizing cryptographic computation cost. It has long been held as an incontrovertible fact that heavyweight computation, such as the large-number arithmetic that forms the basis of many modern cryptographic algorithms, is the greatest burden imposed by security protocols. However, the continuing increase in the computation power of modern workstations speeds up the heavyweight cryptographic operations. For example, 4 years ago, a top-of-the-line RISC workstation performed a 512-bit modular exponentiation in around 24 ms. Four years later, an 850 MHz Pentium III PC (priced at 1/5-th of the old RISC workstation) performs the same operation in under 1 ms.

In contrast, communication latency has not improved appreciably. Network devices and communication lines have become significantly faster and cheaper. Communication (especially via the Internet) has become both accessible and affordable, which has resulted in a drastic increase in the demand for network bandwidth. While computation power and bandwidth are increasing, network delay has a lower bound dictated by the speed of light.

Consequently, the half-around-the-world packet round trip delay is likely to remain constant (at least for terrestrial communication). In addition, inter-planetary networking is not too far off in the future. Consider, for instance, the communication delay with a Mars Rover or other space exploration devices. More concretely, collaborative work groups whose members are dispersed across continents will experience considerable communication latency and would thus benefit from protocols that minimize communication rounds. Similarly, group teleconferences are becoming increasingly popular.

The bottleneck shift from computation to communication latency prompts us to look at cryptographic protocols in a different light: allowing more liberal use of cryptographic operations while attempting to reduce the communication overhead. The latter includes both round and message complexity. Communication overhead is especially relevant in a peer group setting since group members can be spread throughout a large network, e.g., the global Internet.

We consider a protocol first proposed by Steer et al. in 1988 [27]. It is one of the first group key agreement protocols. This protocol extends the 2-party Diffie-Hellman key exchange and supports the formation of a secure static group. This protocol, referred to as STR (short for Skinny TRee) hereafter, involves heavy computation and communication requirements: $O(n)$ communication rounds and $O(n)$ cryptographic operations are necessary to establish a shared key in a group of $n$ members. We extend it to deal with dynamic groups and network failures in a communication-efficient manner. Concretely, we construct an entire group key management protocol suite that is particularly efficient in a WAN environment where network delay is high.

The remainder of this paper is organized as follows. Section II explains our assumptions and requirements for the reliable group communication system over a wide area network, and the cryptographic requirements of group key agreement schemes. Notation used in the rest of this paper is introduced in Section III and the actual protocol suite is described in Section IV. Section V considers the security, complexity, and implementation issues, and the performance of STR is discussed in Section VI. The summary of related work appears in Section VII and conclusions appear in Section VIII. Security arguments for the proposed protocols are provided in the Appendix.

II. Reliable Group Communication and Group Key Agreement

In this section, we set the stage for the rest of the paper with a brief overview of the notable features of reliable group communication and group key agreement.

As noted earlier, many current collaborative and distributed applications require a reliable group communication platform. In addition, many group communication applications require security services which are built atop secure group key management. This dependency is mutual, since practical group key agreement protocols themselves rely on the underlying group communication semantics for protocol message transport and strong membership semantics. Implementing multi-party and multi-round cryptographic protocols without such support is foolhardy as, in the end, one winds up reinventing reliable group communication tools.

A. Reliable Group Communication Semantics

Many modern collaborative and distributed applications require a reliable group communication platform. Current reliable group communication toolkits generally provide one (or both) of two strong group communication semantics: Extended Virtual Synchrony (EVS) [22] and View Synchrony (VS) [15]. Both semantics guarantee that: 1) group members see the same set of messages between two sequential group membership events, and, 2) the sender's requested message order (e.g., FIFO, Causal, or Total) is preserved. VS offers a stricter guarantee than EVS: messages are delivered to all recipients in the same membership as viewed by the sender application when it originally sent the message. In the context of this paper we require the underlying group communication to provide VS. However, we stress that VS is needed for the sake of fault-tolerance and robustness; the security of our protocols is in no way affected by the lack of VS. More details on the interaction of key agreement protocols and reliable group communication are addressed in [1].

B. Communication Delay

Due to the reliable group communication platform, network delay is amplified by the necessary acknowledgments between the group members. The speed of light puts a lower bound on the minimum network delay. For example, a laser pulse that travels through a fiber optic cable takes ≈ 10 ms to travel from New York to San Francisco, ≈ 21 ms from Paris to San Francisco, and ≈ 40 ms from London to Sydney. In practice, networks today are about 3 to 4 times slower than the lower bound.

To put this into perspective, an 850 MHz Pentium III PC performs a single 512-bit modular exponentiation (one of the most expensive, but most basic public key primitives) in under 1 ms. Moreover, the speed of computers continues to increase. Comparing this with the WAN network delay, it is clear that reducing the number of communication rounds is much more important in the long run for an efficient group key agreement scheme than reducing the computation overhead.
C. Group Key Agreement

A comprehensive group key agreement solution must handle adjustments to group secrets subsequent to all membership change operations in the underlying group communication system. The following membership changes are considered. We distinguish between single and multiple member operations, and also between additive and subtractive member operations. Single member changes include member join or leave, and multiple member changes include group merge and group partition.

• Join occurs when a prospective member wants to join a group.

• Leave occurs when a member wants to leave (or is forced to leave) a group. There might be different reasons for member deletion such as voluntary leave, involuntary disconnect or forced expulsion. We believe that group key agreement must only provide the tools to adjust the group secrets and leave the rest up to the local security policy.

• Partition occurs when a group is split into smaller groups. A group partition can take place for several reasons, two of which are fairly common:

1) Network failure: this occurs when a network event causes disconnectivity within the group. Consequently, a group is split into fragments, some of which are singletons while others (those that maintain mutual connectivity) are sub-groups.

2) Explicit (application-driven) partition: this occurs when the application decides to split the group into multiple components or simply exclude multiple members at once.

• Merge occurs when two or more groups merge to form a single group (a group merge may be voluntary or involuntary):

1) Network fault heal: this occurs when a network event causes previously disconnected network partitions to reconnect. Consequently, groups on all sides (and there might be more than two sides) of an erstwhile partition are merged into a single group.

2) Explicit (application-driven) merge: this occurs when the application decides to merge multiple pre-existing groups into a single group. (The case of simultaneous multiple-member addition is not covered.)

At first glance, events such as network partitions and fault heals might appear infrequent and dealing with them might seem to be a purely academic exercise. In practice, however, such events are common owing to network misconfigurations and router failures. Moser et al. present compelling arguments in support of these claims [22]. Hence, dealing with group partitions and merges is a crucial component of group key agreement.

In addition to the aforementioned membership operations, periodic refreshes of group secrets are advisable so as to limit the amount of ciphertext generated with the same key and to recover from potential compromises of members' contributions or prior session keys.

D. Cryptographic Properties

In this section we summarize the desired properties for a secure group key agreement protocol. Following the model of [18], we define four such properties:

Definition 1:

• Group Key Secrecy guarantees that it is computationally infeasible for a passive adversary to discover any group key.

• Forward Secrecy (not to be confused with Perfect Forward Secrecy or PFS) guarantees that a passive adversary who knows a contiguous subset of old group keys cannot discover subsequent group keys.

• Backward Secrecy guarantees that a passive adversary who knows a contiguous subset of group keys cannot discover preceding group keys.

• Key Independence guarantees that a passive adversary who knows any proper subset of group keys cannot discover any other group key not included in the subset.

The relationship among the properties is intuitive. The Backward and Forward Secrecy properties (often called Forward and Backward Secrecy in the literature) assume that the adversary is a current or a former group member. The other properties additionally include the cases of inadvertently leaked or otherwise compromised group keys.

Our definition of group key secrecy allows partial leakage of information. Therefore, it would be more desirable to guarantee that any bit of the group key is unpredictable. For this reason, we prove a decisional version of group key secrecy in Section . In other words, the decisional version of group key secrecy guarantees that it is computationally infeasible for a passive adversary to distinguish any group key from a random number.

Other, more subtle, active attacks aim to introduce a known (to the attacker) or old key. These are prevented by the combined use of: sender information, timestamps, unique protocol message identifiers and sequence numbers which identify the particular protocol run.
All protocol messages include the following attributes:

• sender information: name of the sender, or, equivalently, signer.

• group information: unique name of the group.

• membership information: names (and other information) of current group members.

• protocol identifier: protocol being used (fixed as "STR").

• message type: unique message identifier for each protocol message.

• key epoch: strictly increasing counter. Whenever a new membership event occurs, each member increments the key epoch. If two groups $G_1$ and $G_2$ merge, the resulting epoch is $epoch_{new} = \max(epoch_{G_1}, epoch_{G_2}) + 1$. The key epoch is the same across all current group members. If a group member receives a protocol message with an epoch smaller than its current one, it terminates the protocol (suspected replay).

• time stamp: current time. Loose time synchronization among group members is assumed.

We assume that a group member rejects any message which does not match its expectations. Since all messages are signed, we also assume a PKI for all protocol parties. Since no other long-term secrets or keys are used, we are not concerned with Perfect Forward Secrecy (PFS) as it is achieved trivially.

In this paper, we do not assume key authentication to be part of group key management. All communication channels are thus considered public but authentic. The latter means that all messages are digitally signed by the sender with some sufficiently strong public key signature method such as DSA or RSA (and using a long-term private key).¹ All receivers are required to verify signatures on all received messages and check the aforementioned fields. Consequently, our security model is different from some recent related work [9], [10] that does not assume authentic channels.
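The field checks just described, written out as an added example (this code is not from the paper; it is a receiver-side validator constructed for this edit). It models the message attributes of the list above, the epoch rule for merges, and the replay rule that a message with an epoch below the receiver's current epoch is rejected. The signature check itself is represented by a boolean supplied by the caller, and the clock-skew window is an assumed value, since the paper only states that loose time synchronization is assumed.

```python
from dataclasses import dataclass

PROTOCOL_ID = "STR"      # protocol identifier carried by every message
MAX_CLOCK_SKEW = 60.0    # tolerated clock drift in seconds (assumed; the paper
                         # only assumes "loose" synchronization)


@dataclass(frozen=True)
class Header:
    """Attributes every STR protocol message carries (Section II-D)."""
    sender: str
    group: str
    members: frozenset   # membership information
    protocol: str
    msg_type: str
    epoch: int
    timestamp: float


@dataclass
class LocalView:
    """What a receiving member currently believes about its group."""
    group: str
    members: frozenset
    epoch: int


def epoch_after_merge(*epochs):
    """epoch_new = max(epoch_G1, epoch_G2, ...) + 1 when groups merge."""
    return max(epochs) + 1


def epoch_after_event(view):
    """Every other membership event increments the epoch at every member."""
    return view.epoch + 1


def check_message(view, hdr, now, signature_valid):
    """Return None if the message matches expectations, else the reason to reject it.
    Signature verification is done by the caller; only its result is passed in."""
    if not signature_valid:
        return "invalid signature"
    if hdr.protocol != PROTOCOL_ID:
        return "wrong protocol identifier"
    if hdr.group != view.group:
        return "wrong group"
    if hdr.members != view.members:
        return "membership mismatch"
    if hdr.sender not in hdr.members:
        return "sender is not a group member"
    if hdr.epoch < view.epoch:
        # the paper's rule: a smaller epoch means a suspected replay
        return "stale epoch: suspected replay"
    if abs(now - hdr.timestamp) > MAX_CLOCK_SKEW:
        return "timestamp outside tolerated skew"
    return None


def demo():
    """Constructed sample: one fresh LEAVE message and one replayed from an old epoch."""
    view = LocalView("grp-1", frozenset({"M1", "M2", "M3"}), epoch=7)
    fresh = Header("M2", "grp-1", view.members, "STR", "LEAVE", 7, 1000.0)
    replay = Header("M2", "grp-1", view.members, "STR", "LEAVE", 6, 1000.0)
    return check_message(view, fresh, 1005.0, True), check_message(view, replay, 1005.0, True)
```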


III. Notation

We use the following notation throughout the rest of this paper:

¹ Furthermore, as discussed above, all protocol messages are assumed to contain: 1) sender/group information, 2) a protocol identifier (i.e., STR here) to distinguish among multiple protocols, 3) a unique message identifier to distinguish among messages within a protocol, and 4) a key epoch identifier to capture the instance of the protocol.
$n, N$                     number of protocol parties (group members)
$i, j$                     group member indices: $i, j \in \{1, \ldots, N\}$
$M_i$                      $i$-th group member; $i \in \{1, \ldots, N\}$
$r_i$                      $M_i$'s session random (secret key of leaf node $M_i$)
$br_i$                     $M_i$'s blinded session random, i.e. $\alpha^{r_i} \bmod p$
$k_i$                      secret key shared among $M_1, \ldots, M_i$
$bk_i$                     blinded $k_i$, i.e. $\alpha^{k_i} \bmod p$
$p$                        large prime number
$\alpha$                   exponentiation base
$N_{\langle j \rangle}$    key-tree node $j$
$IN_{\langle l \rangle}$   internal key-tree node at level $l$
$LN_{\langle i \rangle}$   leaf node associated with member $M_i$
$T^{(i)}$                  key-tree of member $M_i$
$BT^{(i)}$                 key-tree of member $M_i$ including all of its blinded keys

Fig. 1 shows an example of an STR key tree. The tree has two types of nodes: leaf and internal. Each leaf node is associated with a specific group member. An internal node $IN_{\langle i \rangle}$ always has two children: another (lower) internal node and a leaf node $LN_{\langle i \rangle}$. The exception is $IN_{\langle 1 \rangle}$, which is also a leaf node corresponding to $M_1$. (Note that, consequently, $r_1 = k_1$.)

Each leaf node $LN_{\langle i \rangle}$ has a session random $r_i$ chosen and kept secret by $M_i$. The blinded version thereof is $br_i = \alpha^{r_i} \bmod p$. Every internal node $IN_{\langle i \rangle}$ has an associated secret key $k_i$ and a public blinded key (bkey) $bk_i = \alpha^{k_i} \bmod p$. The secret key $k_i$ ($i > 1$) is the result of a Diffie-Hellman key agreement between the node's two children ($k_1$ is an exception and is equal to $r_1$), which is computed recursively as follows:

$k_i = (bk_{i-1})^{r_i} \bmod p = (br_i)^{k_{i-1}} \bmod p = \alpha^{r_i k_{i-1}} \bmod p$ if $i > 1$.

Fig. 1. Notation for STR

The group key in Fig. 1 is the key associated with the root node: $k_4 = \alpha^{r_4 \alpha^{r_3 \alpha^{r_1 r_2}}}$.

We note that the root (group) key is never used directly for the purposes of encryption, authentication or integrity. Instead, such special-purpose sub-keys are derived from the root key, e.g., by applying a cryptographically secure hash function to the root key. All bkeys $bk_i$ are assumed to be public.

The basic key agreement protocol is as follows. We assume that all members know the structure of the key tree and their initial position within the tree. (There are many ways to order members unambiguously.) Furthermore, each member knows its session random and the blinded session randoms of all other members. The two members $M_1$ and $M_2$ can first compute the group key corresponding to $IN_{\langle 2 \rangle}$. $M_1$ computes:

$k_2 = (br_2)^{r_1} \bmod p = \alpha^{r_1 r_2} \bmod p$, $bk_2 = \alpha^{k_2} \bmod p$

$k_3 = (br_3)^{k_2} \bmod p$, $bk_3 = \alpha^{k_3} \bmod p$

$\ldots$

$k_N = (br_N)^{k_{N-1}} \bmod p$

Next, $M_1$ broadcasts all bkeys $bk_i$ with $1 \le i \le N-1$. Armed with this message, every member then computes $k_N$ as follows. (As mentioned above, members $M_1$ and $M_2$ derive the group key without additional broadcasts.) Any $M_i$ (with $i > 2$) knows its session random $r_i$ and $bk_{i-1}$ from the broadcast message. Hence, it can derive $k_i = (bk_{i-1})^{r_i} \bmod p$. It can then compute all remaining keys recursively up to the group key from the public blinded session randoms: $k_j = (br_j)^{k_{j-1}} \bmod p$ for $i < j \le N$.

Following every membership change, all members independently update the key tree. Since we assume that the underlying group communication system provides view synchrony (see Section II-A), all members who correctly execute the protocol recompute an identical key tree after any membership event. The following proposition describes the minimal requirement for a group member to compute the group key:

Proposition 1: If all members know the blinded session randoms of all other members, at least two members can compute the group key.

This follows directly from the recursive definition of the group key. In other words, both $M_1$ and $M_2$ (the members at the lowest leaf nodes) can obtain the group key by computing pairwise keys recursively and using the blinded session randoms of the other members.
Proposition 2: Any member can compute the group key if it knows: 1) its own secret share, 2) the bkey of its sibling subtree, and, 3) the blinded session randoms of members higher in the tree.

Proof: This also follows from the definition of the group key. To compute the group key, member $M_i$ needs 1) $r_i$, 2) $bk_{i-1}$, and 3) $br_{i+1}, br_{i+2}, \ldots, br_N$. ∎
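As an added illustration of the basic protocol and of Propositions 1 and 2 (example code written for this edit, not code from the paper), the following Python computes the STR key chain of Section III twice: once bottom-up, as $M_1$ does before broadcasting the bkeys, and once from each member's own viewpoint using only $r_i$, $bk_{i-1}$ and the blinded session randoms of the members above it. The modulus and base are toy values chosen so the example runs instantly; they are assumptions of this example, not parameters from the paper.

```python
import secrets

# Toy parameters constructed for this example: 2**127 - 1 is prime and alpha is
# an arbitrary base. A deployment would use a standard Diffie-Hellman group.
P = 2**127 - 1
ALPHA = 3


def blind(x):
    """alpha^x mod p: a bkey or a blinded session random."""
    return pow(ALPHA, x, P)


def full_chain(randoms):
    """What M_1 computes for the initial broadcast: every k_i and bk_i bottom-up.
    randoms[i-1] is r_i.  Returns (keys, bkeys), both indexed from 1 (index 0 unused)."""
    n = len(randoms)
    k = [None] * (n + 1)
    bk = [None] * (n + 1)
    k[1] = randoms[0]                  # k_1 = r_1 by definition
    bk[1] = blind(k[1])
    for i in range(2, n + 1):
        # k_i = (br_i)^{k_{i-1}} = alpha^{r_i k_{i-1}} mod p
        k[i] = pow(blind(randoms[i - 1]), k[i - 1], P)
        bk[i] = blind(k[i])
    return k, bk


def member_group_key(i, r_i, bk_below, br_above):
    """Proposition 2: M_i derives k_N from its own r_i, from bk_{i-1}
    (None for M_1) and from [br_{i+1}, ..., br_N]."""
    k = r_i if i == 1 else pow(bk_below, r_i, P)   # k_i = (bk_{i-1})^{r_i} mod p
    for br in br_above:
        k = pow(br, k, P)                          # k_j = (br_j)^{k_{j-1}} mod p
    return k


def demo(n=5):
    """Run an n-member group: M_1's chain versus every member's own derivation.
    Returns (group key from M_1's chain, list of keys as derived by M_1..M_n)."""
    randoms = [secrets.randbelow(P - 2) + 1 for _ in range(n)]   # each r_i, kept by M_i
    brs = [blind(r) for r in randoms]                            # public br_1..br_n
    keys, bkeys = full_chain(randoms)
    views = []
    for i in range(1, n + 1):
        bk_below = bkeys[i - 1] if i > 1 else None   # bk_{i-1} from M_1's broadcast
        views.append(member_group_key(i, randoms[i - 1], bk_below, brs[i:]))
    return keys[n], views
```

Each member's derivation touches only the values Proposition 2 lists, yet all of them agree with the root key of the full chain; the $M_1$ chain itself is the content of Proposition 1.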

The protocols described below benefit from a special role (called sponsor) assigned to a certain group member following each membership change. A sponsor reduces communication overhead by performing "housekeeping" tasks that vary depending on the type of membership change. The criteria for selecting a sponsor are described below.

IV. STR Protocols

We now describe the protocols that make up the STR key management suite: join, leave, merge, and partition. All protocols share a common framework with the following features:

• Each group member contributes an equal share to the group key; this share is kept secret by each group member.

• The group key is computed as a function of all current group members' shares.

• As the group grows, new members' shares are factored into the group key while the remaining members' shares (except for the sponsor, who changes its session random to provide key independence) stay unchanged.

• As the group shrinks, departing members' shares are removed from the new group key and at least one remaining member changes its share.

• All protocol messages are signed by the sender, i.e., we assume an authenticated broadcast channel.

• In a join or a merge, the sponsor is associated with the topmost leaf node of each key tree.

• In a leave or a partition, the sponsor is located immediately below the deepest leaving node.

A. Join

We assume the group has $n$ users $\{M_1, \ldots, M_n\}$ when the group communication system announces the arrival of a new member. Both the new member and the prior group members receive this notification simultaneously. The new member $M_{n+1}$ broadcasts a join request message that contains its own bkey $bk_{n+1}$ (which is the same as its blinded session random $br_{n+1}$). Upon receiving this message, the current group's sponsor $M_n$ refreshes its session random, computes $br_n, k_n, bk_n$ and sends the current tree $BT^{(n)}$ to $M_{n+1}$ with all bkeys.

Step 1: The new member broadcasts a request for join

$M_{n+1}$ --( $br_{n+1} = \alpha^{r_{n+1}}$ )--> $C = \{M_1, \ldots, M_n\}$

Step 2: Every member

• updates the key tree by adding the new member node and a new root node,

• removes $bk_n$.

The sponsor $M_n$ additionally

• generates a new share $r_n$ and computes $br_n, k_n, bk_n$,

• broadcasts the updated tree $BT^{(n)}$.

$C \cup \{M_{n+1}\} = \{M_1, \ldots, M_{n+1}\}$ <--( $BT^{(n)}$ )-- $M_n$

Step 3: Every member computes the group key using $BT^{(n)}$

Fig. 2. JOIN Protocol

Next, each member $M_i$ increments $n = n + 1$ and creates a new root key node $IN_{\langle n \rangle}$ with two children: the root node $IN_{\langle n-1 \rangle}$ of the prior tree $T^{(i)}$ on the left and the new leaf node $LN_{\langle n \rangle}$ corresponding to the new member on the right. Note that every member can compute the group key (see Proposition 2) since:

• All existing members only need the new member's blinded session random.

• The new member needs the blinded group key of the prior group.

In a join operation, the sponsor is always the topmost leaf node, i.e., the most recent member in the current group. Fig. 3 shows an example of a new member $M_5$ joining a group. To provide forward secrecy, the sponsor $M_4$ updates its session random $r_4$.

As described, JOIN takes two communication rounds and five cryptographic operations to compute the new group key (four by the sponsor and two by everyone else). As will be discussed in Section V-A.2, the JOIN protocol provides backward secrecy.
Fig. 3. Tree update in JOIN


B. Leave

We again have a group of $n$ members when a member $M_d$ ($d \le n$) leaves the group. If $d > 1$, the sponsor $M_s$ is the leaf node directly below the leaving member, i.e., $M_{d-1}$. Otherwise, the sponsor is $M_2$. Upon hearing about the leave event from the group communication system, each remaining member updates its key tree by deleting the node $LN_{\langle d \rangle}$ corresponding to $M_d$ and its parent node $IN_{\langle d \rangle}$. The nodes above the leaving node are also renumbered. The former sibling $IN_{\langle d-1 \rangle}$ of $M_d$ is promoted to replace (former) $M_d$'s parent. The sponsor $M_s$ selects a new secret session random, computes all keys (and bkeys) up to just below the root node, and broadcasts $BT^{(s)}$ to the group. This information allows all members (including the sponsor) to recompute the new group key. Fig. 4 describes the leave protocol in detail.

Fig. 5 shows that if member $M_4$ leaves the group, other members delete the leaving node along with its parent. Then, the sponsor $M_3$ picks its new session random $r_3$, computes $br_3, k_3, bk_3$, and broadcasts the updated tree $BT^{(4)}$. Upon receiving the broadcast, all members (including $M_3$) compute the group key $k_4$. Note that $M_4$ cannot compute the group key (even though it knows all bkeys) since its session random is no longer part thereof.²

The LEAVE protocol takes one communication round and involves a single broadcast. The cryptographic cost varies depending upon two factors: 1) the position of the departed member, and 2) the position of the remaining member needing to compute the new key.

The total number of serial cryptographic operations in the leave protocol can be expressed as (assuming $n$ is the original group size):

• $2(n - d) + 1 + (n - d) + 1 = 3n - 3d + 2$ when $d > 2$

• $3n - 7$ when $d = 1, 2$

In the worst case, $M_1$, $M_2$ or $M_3$ leaves the group. The cost for this leave operation is equal to $3n - 7$. The expected leave cost is $3(n/2) + 2$.

² $r_s$ and $br_s$ are renumbered, and are denoted as $r_d$ and $br_d$, respectively.

Step 1: Every member

• updates the key tree as described above,

• removes all keys and bkeys from the sponsor node to the root node.

The sponsor $M_s$ additionally

• generates a new share and computes all (keys, bkeys),

• broadcasts the updated tree $BT^{(s)}$.

$C - \{M_d\}$ <--( $BT^{(s)}$ )-- $M_s$

Step 2: Every member computes the group key using $BT^{(s)}$

Fig. 4. LEAVE Protocol

Fig. 5. Tree update in LEAVE

The LEAVE protocol provides forward secrecy since a former member cannot compute the new key owing to the sponsor's changing the session random. The protocol also provides key independence since knowledge of the new key cannot be used to derive the previous keys; this is, again, due to the sponsor refreshing its session random. For details of key independence, see Section V-A.2.


C.  Partition 

A  network  fault  (or  severe  congestion)  can  cause  a  partition  of  the  group.  To  the  remaining 
members,  this  actually  appears  as  a  concurrent  leave  of  multiple  members.  With  a  minor  modi¬ 
fication,  the  LEAVE  protocol  can  handle  multiple  leaving  members  in  a  single  round.  The  only 
difference  is  in  sponsor  selection.  In  case  of  a  partition,  the  sponsor  is  the  leaf  node  directly 
below  the  lowest-numbered  leaving  member.  (If  M\  is  the  lowest-numbered  leaving  member, 
the  sponsor  is  the  lowest-numbered  surviving  member.) 

After  deleting  all  leaving  nodes,  the  sponsor  Ms  refreshes  its  session  random  (key  share), 
computes  keys  and  bkeys  going  up  the  tree  -  as  in  the  plain  leave  protocol  -  terminating  with 
the  computation  of  akn~l  mod  p.  It  then  broadcasts  the  updated  key  tree  BT^  containing  only 
blinded  values.  Each  member  (including  Ms)  can  now  compute  the  group  key. 


Fig.  6.  Tree  update  in  PARTITION 

Fig. 6 shows an example where the sponsor deletes all nodes of leaving members and computes
all necessary keys and bkeys in the first round. In this example, M_1 is the sponsor since M_2 left
the group. After picking a new session random r'_1, the sponsor computes k'_2 and α^{k'_2} mod p, and
broadcasts the whole tree. Upon receiving this message, every member can compute the new
group key k'_3. Note that session randoms and blinded session randoms are renumbered as in the
leave protocol.

The computation and communication complexity of this protocol is identical to that of the
leave protocol. The same holds for its security properties.


D. Merge

We now describe the merge protocol. We assume that, as in the join case, the communication
system simultaneously notifies all group members (in all groups) about the merge event.
Moreover, reliable group communication toolkits typically include a list of all members that are about
to merge in the merge notification. More specifically, we require that each member be able to
distinguish the group it was in from the group that it is merging with. This assumption is not
unreasonable, e.g., it is satisfied in SPREAD [1].

It  is  natural  to  graft  the  smaller  tree  atop  the  larger  tree.  If  any  two  trees  are  of  the  same 
height,  we  can  use  any  unambiguous  ordering  to  decide  which  group  joins  which.  (For  example, 
lexicographical  order  of  the  identifiers  of  the  respective  sponsors.)  When  merging  two  trees,  the 
lowest-numbered  leaf  of  the  smaller  tree  becomes  the  right  child  of  a  new  intermediate  node. 
The  left  child  of  the  new  intermediate  node  becomes  the  root  of  the  larger  tree. 

Using this technique recursively, we can merge multiple trees. The k-ary merge protocol is shown
in Fig. 7.


Step 1: Each sponsor M_{s_i} in T_i for i ∈ [1, k]

• broadcasts tree BT^(s_i)

      M_{s_i}  --- BT^(s_i) --->  ∪_{i=1}^{k} C_i

Step 2: Every member

• updates key tree by merging all trees,

• removes all keys and bkeys from the sponsor node,

The sponsor M_s (additionally)

• generates new share r_s and computes br_s,

• computes all keys and bkeys from its parent to the node just below root,

• broadcasts updated tree BT^(s)

      M_s  --- BT^(s) --->  ∪_{i=1}^{k} C_i

Step 3: Every member computes the group key using BT^(s)


Fig. 7. MERGE Protocol
In the first round of the merge protocol, all sponsors (members associated with the topmost leaf
node in each tree) exchange their respective key trees containing all blinded session randoms.³
The highest-numbered member of the largest tree becomes the sponsor of the second round in
the merge protocol. After refreshing its session random, this sponsor computes every (key, bkey)
pair up to the intermediate node just below the root node using the blinded session randoms of
the other group members. It then broadcasts the key tree with the bkeys and blinded session
randoms to the other members. All members now have the complete set of bkeys, which allows
them to compute the new group key.


Fig.  8.  Tree  update  in  MERGE 


Fig. 8 shows an example of merging two trees. After the merge notification, the sponsors M_4
and M_7 broadcast their key trees containing all blinded session randoms. Upon receiving these
broadcast messages, every member in both groups reconstructs the key tree. The smaller tree
with three members is placed on top of the larger tree with four members. Every member generates
a new intermediate node IN⟨5⟩ and makes it the parent of the old root node IN⟨4⟩ of the larger
tree and the previous leftmost leaf node LN⟨5⟩. Both intermediate nodes IN⟨2⟩ and IN⟨3⟩ of the
previous smaller tree then need to be renumbered as IN⟨6⟩ and IN⟨7⟩, respectively. The new
intermediate node IN⟨5⟩ also becomes the child of the previous lowest intermediate node IN⟨6⟩.


³ Bkeys do not need to be exchanged this time.

Using the previous blinded group key at IN⟨4⟩ of the larger group and the blinded session randoms
br_5 and br_6, the sponsor in the second round, M_4, computes all intermediate keys and bkeys
(k_4, bk_4, k_5, bk_5, k_6, bk_6) except the root node. Finally, it broadcasts BT^(4) that contains all bkeys
and blinded session randoms up to IN⟨6⟩.⁴ Upon receipt of the broadcast, every member can
compute the group key.

In  summary,  the  merge  protocol  runs  in  two  communication  rounds. 
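The partition (Section IV-C) and merge (Section IV-D) rounds above as one small runnable model, added here as an example and not code from the paper: a member holds only its session random r_i, the public tree holds the blinded randoms br_i and the blinded node keys bk_i, and a sponsor refreshes its share and republishes the bkeys from its own node up to the node just below the root. The modulus 2^127 - 1, the generator 3, the member names and the helper names (Member, KeyTree, sponsor_round, form_group, partition, merge, demo) are assumptions of this example, and forming the initial group by letting the bottom leaf publish all bkeys is a constructed shortcut, not the paper's join sequence.

```python
import secrets

# Added toy model of the STR key tree; not the paper's code. p = 2^127 - 1 is prime
# but far too small for real use (a deployment would use a standardized group).
P = 2**127 - 1
G = 3   # alpha

def blind(x):
    """alpha^x mod p: blinded values are public, exponents never leave their owner."""
    return pow(G, x, P)

class Member:
    """A member's only secret is its session random r."""
    def __init__(self, name):
        self.name = name
        self.refresh()
    def refresh(self):
        self.r = secrets.randbelow(P - 2) + 1

class KeyTree:
    """Public tree: leaf order (position i = index + 1), br_i by name, bk_i by position."""
    def __init__(self, leaves, br, bk=None):
        self.leaves, self.br, self.bk = list(leaves), dict(br), dict(bk or {})
    def n(self):
        return len(self.leaves)
    def position(self, name):
        return self.leaves.index(name) + 1

def keys_from(tree, i, k_i):
    """Climb from node i: k_j = (br_j)^(k_{j-1}) mod p for j > i; k_n is the group key."""
    keys = {i: k_i}
    for j in range(i + 1, tree.n() + 1):
        keys[j] = pow(tree.br[tree.leaves[j - 1]], keys[j - 1], P)
    return keys

def member_keys(member, tree):
    """M_i knows k_1 = r_1 if it is the bottom leaf, else k_i = (bk_{i-1})^(r_i)."""
    i = tree.position(member.name)
    k_i = member.r if i == 1 else pow(tree.bk[i - 1], member.r, P)
    return keys_from(tree, i, k_i)

def group_key(member, tree):
    return member_keys(member, tree)[tree.n()]

def sponsor_round(sponsor, tree):
    """Sponsor refreshes r_s, drops bkeys from its node upward (now stale), recomputes
    (key, bkey) pairs up to the node just below the root and publishes the bkeys."""
    sponsor.refresh()
    tree.br[sponsor.name] = blind(sponsor.r)
    s = tree.position(sponsor.name)
    tree.bk = {j: v for j, v in tree.bk.items() if j < s}
    for j, k in member_keys(sponsor, tree).items():
        if j < tree.n():
            tree.bk[j] = blind(k)
    return tree

def form_group(members):
    """Constructed start state: the bottom leaf publishes every bkey once."""
    tree = KeyTree([m.name for m in members], {m.name: blind(m.r) for m in members})
    return sponsor_round(members[0], tree)

def partition(tree, members, leaving):
    """Section IV-C: sponsor is the leaf directly below the lowest-numbered leaving
    member, or the lowest survivor if M_1 left; bkeys below it stay valid."""
    lowest = min(tree.position(name) for name in leaving)
    survivors = [name for name in tree.leaves if name not in leaving]
    below = [name for name in survivors if tree.position(name) < lowest]
    sponsor = below[-1] if below else survivors[0]
    new = KeyTree(survivors, {name: tree.br[name] for name in survivors})
    new.bk = {j: v for j, v in tree.bk.items() if j < new.position(sponsor)}
    return sponsor_round(members[sponsor], new), sponsor

def merge(tree_a, tree_b, members):
    """Section IV-D round two: smaller tree grafted above the larger (ties: tree_a is
    taken as larger); the topmost leaf of the larger tree sponsors."""
    large, small = (tree_a, tree_b) if tree_a.n() >= tree_b.n() else (tree_b, tree_a)
    merged = KeyTree(large.leaves + small.leaves, {**large.br, **small.br}, large.bk)
    sponsor = large.leaves[-1]
    return sponsor_round(members[sponsor], merged), sponsor

def demo():
    """Fig. 8 style merge (4 + 3 members), then Fig. 6 style partitions."""
    members = {f"M{i}": Member(f"M{i}") for i in range(1, 8)}
    large = form_group([members[f"M{i}"] for i in range(1, 5)])   # M1..M4
    small = form_group([members[f"M{i}"] for i in range(5, 8)])   # M5..M7
    merged, msp = merge(large, small, members)
    merged_keys = {m: group_key(members[m], merged) for m in merged.leaves}
    after, psp = partition(merged, members, {"M2", "M3"})
    part_keys = {m: group_key(members[m], after) for m in after.leaves}
    _, bottom_sp = partition(after, members, {"M1"})
    return {"merge_sponsor": msp, "merged_leaves": merged.leaves,
            "merge_agree": len(set(merged_keys.values())) == 1,
            "partition_sponsor": psp, "partition_leaves": after.leaves,
            "partition_agree": len(set(part_keys.values())) == 1,
            "key_changed": part_keys["M1"] != merged_keys["M1"],
            "bottom_leave_sponsor": bottom_sp}
```

demo() first reproduces the Fig. 8 setting (a four-member and a three-member tree, M_4 sponsoring the second round) and then the Fig. 6 style partition in which M_2 and M_3 leave and M_1 sponsors: every survivor derives the same key from the broadcast blinded tree, that key differs from the pre-partition key, and a departed member no longer has a position in the tree from which to start the computation. The last call shows the special case of the bottom leaf leaving, where the lowest survivor sponsors.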

V.  Discussion 

We now discuss security, efficiency and other practical issues related to STR key management.

A. Security

As  discussed  earlier  in  the  paper,  the  main  security  requirements  of  group  key  agreement  are: 
group  key  secrecy,  forward/backward  secrecy,  and  key  independence.  In  this  section,  we  prove 
that  STR  provides  those  four  security  requirements. 

1) Group Key Secrecy: Before considering group key secrecy, we briefly examine key freshness.
Every group key is fresh, since at least one member in the group generates a new random
key share for every membership change.⁵ The probability that a new group key is the same as any
old group key is negligible due to the bijectiveness of the (f ∘ g) function.

We note that the root (group) key is never used directly for the purposes of encryption,
authentication or integrity. Instead, special-purpose sub-keys are derived from this key,
e.g., by applying a cryptographically secure hash function, i.e. H(group key) is used for such
applications.

As discussed in Section II-D, decisional group key secrecy is more meaningful if sub-keys are
derived from a group key. Decisional group key secrecy of the STR protocol is related to the imbalanced
tree decision Diffie-Hellman assumption mentioned in Section B. This assumption ensures that
there is no information leakage other than the public bkey information.

We can also derive the sub-keys based on Shoup's hedge technique [26] as follows:
compute the key as H(group key) ⊕ ℋ(group key), where ℋ is a random oracle.

⁴ In fact, it need not broadcast unchanged bkeys, {bk_1, bk_2, bk_3}.

⁵ Recall that insider attacks are not our concern. This excludes the case when an insider intentionally generates non-random
numbers.

It follows that, in addition to the security in the standard model based on the imbalanced Tree
Decision Diffie-Hellman assumption, the derived key is also secure in the random oracle model
[6] based on the imbalanced Tree Computational Diffie-Hellman assumption.

2)  Key  Independence:  We  now  give  an  informal  proof  that  STR  satisfies  forward  and  backward 
secrecy,  or  equivalently  key  independence.  In  order  to  show  that  STR  provides  key  independence, 
we  only  need  to  show  that  the  former  (prospective)  member’s  view  of  the  current  tree  is 
exactly  the  same  as  the  passive  adversary’s  view.  This  is  because  the  advantage  of  the  former 
(prospective)  member  is  the  same  as  the  passive  adversary,  and  the  view  of  the  passive  adversary 
does  not  reveal  any  information  about  the  group  key  by  Theorem  3. 

We first consider backward secrecy, which states that a new member who knows the current
group key cannot derive any previous group keys. Let M_{n+1} be the new member. The sponsor
for the join event changes its session random and, consequently, the root key of the current key tree
is changed. Therefore, the view of M_{n+1} with respect to the prior key trees is exactly the same
as the view of an outsider. Hence, the new member does not gain any advantage compared to a
passive adversary.

This  argument  can  be  easily  extended  to  a  merge  of  two  or  more  groups.  When  a  merge 
happens,  the  sponsor  at  the  top  leaf  node  of  the  largest  tree  changes  its  session  random.  Therefore, 
each  member’s  view  on  other  member’s  tree  is  exactly  the  same  as  the  view  of  a  passive  adversary. 
This  shows  that  the  newly  merged  member  has  exactly  the  same  advantage  about  any  of  the  old 
key  tree  as  a  passive  adversary. 

Now we consider forward secrecy, meaning that a passive adversary who knows a contiguous
subset of old group keys cannot discover subsequent group keys. Here, we consider partition and
leave at the same time. Suppose M_d is a former group member who left the group. Whenever a
subtractive event happens, the sponsor located immediately below the deepest leaving leaf node
refreshes its session random, and, therefore, all keys known to leaving members will be changed
accordingly. Therefore, M_d's view is exactly the same as the view of the passive adversary.

This  proves  that  STR  provides  decisional  version  of  key  independence. 

3) Other Security Properties: As discussed in Section II-D, all protocol messages consist
of sender information, group information, membership information, message type, key epoch,
and time stamp. We also assumed that the receiver rejects any message that does not match its
expectation and all channels are authentic (i.e. all messages are signed). Therefore, we claim
that STR provides implicit key authentication.

Furthermore,  the  independence  of  the  session  key  from  any  long-term  keys  guarantees  PFS. 
Finally,  the  loss  of  a  group  key  does  not  endanger  any  other  session.  Therefore,  STR  is  secure 
against  a  known  key  attack. 

B.  Practical  Considerations 

1)  Protocol  Unification:  Although  described  separately  in  Section  IV,  the  four  STR  operations 
(join,  leave,  merge  and  partition)  actually  represent  different  strands  of  a  single  protocol.  We 
justify  this  claim  with  an  informal  argument  below. 

Obviously, join and leave are special cases of merge and partition, respectively. We observed
that merge and partition can be collapsed into a single protocol, since, in either case, the key
tree changes and the remaining group members lack some number of bkeys that prevents them
from computing the new root key. In a partition, the remaining members (in any surviving group
fragment) reconstruct the tree where some bkeys are missing. In case of a merge, let us suppose
that k groups (trees T_1 through T_k) are merging. After the first round of the merge protocol, all
members reconstruct the new tree unambiguously and independently where all bkeys from the
sponsor node up to the root node are missing, similar to the partition protocol. The sponsor in
merge is located at the topmost leaf node of the highest key tree. As discussed in Sections IV-D
and IV-C, every member reconstructs the key tree after a partition and a merge in one and two
rounds, respectively.

From  these  outlines  of  the  merge  and  partition  protocol,  we  can  find  some  similarities: 

• Whenever a new membership event happens, all current group members first reconstruct the
key tree.

• The resulting key tree has missing bkeys from the parent node of the sponsor to the root
node as well as the sponsor's blinded session random.

• The sponsor generates a new session random and computes all keys and bkeys from its parent
node up to the node just below the root node. It then broadcasts the whole key tree containing
only bkeys and blinded session randoms.

• Using the broadcast message, any member can compute the group key.

This apparent similarity between partition and merge allows us to combine the protocols
stemming from all membership events into a single, unified protocol. Fig. 9 shows the pseudocode.
The incentive for this is threefold. First, unification allows us to simplify the implementation and
minimize its size. Second, the overall security and correctness are easier to demonstrate with a
single protocol. Third, we can now claim that (with a slight modification) the STR protocol is
self-stabilizing and fault-tolerant as discussed below.


 1  receive msg (msg type = membership event)
 2  construct new tree
 3  while there are missing bkeys
 4    if ((I can compute any missing keys and I am the sponsor) ||
 5        (sponsor computed a key))
 6      while (1)
 7        compute missing (key, bkey) pairs
 8        if (I cannot compute)
 9          break
10        endif
11        if (others need my information)
12          broadcast new bkeys
13        endif
14    endif
15  endwhile


Fig. 9. Unified protocol pseudocode


2)  Cascaded  Events:  Since  network  disruptions  are  random  and  unpredictable,  it  is  natural 
to  consider  the  possibility  of  so-called  cascaded  membership  events.  (In  fact,  cascaded  events 
and  their  impact  on  group  protocols  are  often  considered  in  group  communication  literature,  but, 
alas,  not  often  enough  in  the  security  literature.)  A  cascaded  event  occurs,  in  its  simplest  form, 
when  one  membership  change  occurs  while  another  is  being  handled.  Event  here  means  any  of: 
join,  leave,  partition,  merge  or  a  combination  thereof.  For  example,  a  partition  can  occur  while 
a  prior  partition  is  being  dealt  with,  resulting  in  a  cascade  of  size  two.  In  principle,  cascaded 
events  of  arbitrary  size  can  occur  if  the  underlying  network  is  highly  volatile. 

As discussed before, the STR protocol requires at most two rounds. One might wonder why
robustness against cascaded failure is important for only a 2-round protocol. We give a couple of
examples that illustrate (potential) failure of the STR protocol.

• Suppose a network partition breaks a group G into groups G_1 and G_2. The sponsor M_{s_1}
needs to compute missing keys and bkeys. While computing these keys, another partition
breaks G_1 into two other groups G_1' (containing M_{s_1}) and G_1''. Based on the partition protocol
description, the members in group G_1'' still wait for the message from M_{s_1} to process the
previous partition.

• Suppose a merge event happens whereby groups G_1 and G_2 merge to form a single group G. The
sponsors M_{s_1} and M_{s_2} in each group broadcast their tree information. In the next round,
while a sponsor computes the missing bkeys, a member M_i originally in group G_1 leaves
the group. If the leaving member is the sponsor, the STR protocol cannot pro
ceed, since every
other member is waiting for the message from this member.

The  protocols  described  above  cannot  cope  with  these  situations.  However,  we  can  modify 
the  protocol  in  Fig.  9  to  handle  such  cascaded  events. 

We claim that the STR protocol is self-stabilizing, i.e., robust against cascaded network events.
This is quite rare as most multi-round cryptographic protocols are not geared towards handling of
such events. In general, self-stabilization is a very desirable feature since lack thereof requires
extensive and complicated protocol "coating" to either 1) shield the protocol from cascaded
events, or 2) harden it sufficiently to make the protocol robust with respect to cascaded events
(essentially, by making it re-entrant).

The high-level pseudocode for the self-stabilizing protocol is shown in Fig. 10. The changes
from Fig. 9 are minimal (lines 15 - 18 are added).

VI. Performance Analysis and Communication Efficiency
A.  Performance  Comparison 

We  analyze  both  communication  and  computation  costs  for  join,  leave,  merge  and  partition 
protocols.  In  doing  so,  we  focus  on  the  number  of:  rounds,  messages,  and  serial  exponentiations. 
We  distinguish  among  serial  and  total  measures.  The  serial  measure  assumes  parallelization 
within  each  protocol  round  and  represents  the  greatest  cost  incurred  by  any  participant  in  a 
given  round.  The  total  measure  is  the  sum  of  all  participants’  costs  in  a  given  round. 

We compare STR protocols to TGDH, which has been known to be the most efficient in both
communication and computation. A detailed comparison with other group key agreement
protocols such as GDH.3 [28] and BD (Burmester-Desmedt) [11] can be found in [2].


 1  receive msg (msg type = membership event)
 2  construct new tree
 3  while there are missing bkeys
 4    if ((I can compute any missing keys and I am the sponsor) ||
 5        (sponsor computed a key))
 6      while (1)
 7        compute missing (key, bkey) pairs
 8        if (I cannot compute)
 9          break
10        endif
11        if (others need my information)
12          broadcast new bkeys
13        endif
14    endif
15    receive msg
16    if (msg type = membership event)
17      construct new tree
18    endif
19  endwhile


Fig. 10. Self-stabilizing protocol pseudocode

Table  I  summarizes  the  communication  and  computation  costs  of  both  protocols.  The  numbers 
of  current  group  members,  merging  members,  merging  groups,  and  leaving  members  are  denoted 
as:  n,  m,  k  and  p,  respectively. 

The  height  of  the  key  tree  constructed  by  the  TGDH  protocol  is  h.  The  overhead  of  the  TGDH 
protocol  depends  on  the  tree  height,  the  balancedness  of  the  key  tree,  the  location  of  the  joining 
tree,  and  the  leaving  nodes.  In  our  analysis,  we  assume  the  worst-case  configuration  and  list  the 
worst-case  cost  for  TGDH. 

The number of modular exponentiations for a leave event in STR depends on the location of
the deepest leaving node. We thus compute the average cost, i.e., the case when the n/2-th node
leaves the group. For all other events and protocols, exact costs are shown.
TABLE I

Communication and Computation Costs

                                Communication                          Computation
              Event         Rounds                  Messages           Exponentiations
  TGDH        Join          2                       3                  3h - 3
              Leave         1                       1                  3h - 3
              Merge         ⌈log2 k⌉ + 1            2k                 3h - 3
              Partition     min(⌈log2 p⌉ + 1, h)    min(2p, ⌈n/2⌉)     3h - 3
  STR         Join          2                       3                  4
              Leave         1                       1                  n/2 + 2
              Merge         2                       k + 1              3m + 1
              Partition     1                       1                  n/2 + 2

In  the  current  implementations  of  TGDH  and  STR,  all  group  members  recompute  bkeys  that 
have  already  been  computed  by  the  sponsors.  This  provides  a  weak  form  of  key  confirmation, 
since  a  user  who  receives  a  token  from  another  member  can  check  whether  his  bkey  computation 
is  correct.  This  computation,  however,  can  be  removed  for  better  efficiency,  and  we  consider  this 
optimization  when  counting  the  number  of  exponentiations. 

It is clear that the computation cost of STR is fairly high: O(m) for merge and O(n) for subtractive
events. However, as mentioned in Section I, this high cost becomes negligible when STR is used
in a high-delay wide-area network. Evidence to support this claim can be found in [2].

B.  Lower  Bound  for  Dynamic  Group  Key  Agreement 

In [5], Becker and Wille proved the lower bound for the communication complexity of static
group key agreement, i.e. how n group members share a common group key without considering
subsequent additive/subtractive events. Assuming a broadcast channel, they prove the
following theorem:

Theorem 1 (Becker and Wille): Let 𝒫 be a static group key agreement protocol for n parties
allowing broadcasts.

1) For the number of messages m(𝒫) required by 𝒫, it holds that m(𝒫) ≥ n.

2) For the number of rounds r(𝒫) required by 𝒫, it holds that r(𝒫) ≥ 1.

However,  it  is  commonly  assumed  that  at  least  2  rounds  are  required  for  group  key  agreement. 
Assumption 1: Let 𝒫 be a static group key agreement protocol for n parties allowing broadcasts
when n ≥ 3. Using the same notation as above, r(𝒫) ≥ 2.

Indeed, finding a one-round group key agreement is a well-known open problem [8]. When the
group size is 3, there exists a one-round group key agreement based on a bilinear map using the Weil
pairing [17]. This work shows that one can design a one-round group key agreement protocol for
any n, if a multilinear map exists. Unfortunately, the existence of a multilinear map is unknown [8].

Based  on  Theorem  1  and  Assumption  1,  we  can  easily  find  the  bound  for  communication 
complexity  of  dynamic  group  key  agreement. 

Theorem 2 (Communication complexity of dynamic group key agreement): Let 𝒫 be a static
group key agreement protocol for n (n ≥ 3) parties allowing broadcasts.

• For any subtractive event r(𝒫) ≥ 1 and m(𝒫) ≥ 1, when the number of remaining group
members is greater than 2.

• For any additive event r(𝒫) ≥ 2 and m(𝒫) ≥ k, when k groups are merging.⁶

Proof: [Sketch] In a contributory group key agreement, the group key is determined by the
participating entities' contributions. Furthermore, to provide key independence each group key should be
independent from the previous and future group keys. In other words, for any additive/subtractive
event, at least one member in the group has to change its random secret. Therefore, at least one
message (and one round) is required to let others know about this change. This provides rough
lower bounds on communication for both additive and subtractive events:

    r(𝒫) ≥ 1 and m(𝒫) ≥ 1.    (1)

Now  let  us  tighten  the  bound  based  on  each  event.  In  case  of  subtractive  events,  we  are  done 
by  the  rough  bound  described  in  Equation  1. 

So the remainder of this proof will focus on finding a tighter lower bound for additive events. We
will consider only the merge of k groups, since join is a special case of merge when one group has
only one user. The most important observation for merge is that a merge of k groups can be seen
as a static group key agreement of k members. If this is the case, then we are done, since our
lower bounds for additive events are the same as those for static group key agreement provided in
Theorem 1 and Assumption 1.

⁶ Clearly, this also covers the case of a single member joining the group, thus k is equal to 2.

Now, it remains to show that a merge of k groups is equivalent to the static group key agreement
of k members. Since there are k groups merging, it is obvious that at least k messages need to
be exchanged to share each group's information. This is because the group key is a function of
all group members' contributions and each group's information contains the current group members'
contributions. In fact, a merge of k groups can be seen as group formation of k members whose
session random is the current group key sk and whose blinded key is g^{sk} (mod p), where the blinded key
is never known to other group members. Therefore, the lower bounds on communication for additive
events are equivalent to those of static group key agreement. Consequently, any additive
event of group key agreement (when k groups are involved) requires r(𝒫) ≥ 2 and m(𝒫) ≥ k.

■

From Theorem 2, the communication cost of STR is near optimal (it requires one more
message than the optimal protocol does). However, it can be easily modified to achieve optimal
communication efficiency: when a merge event happens, a partition is chosen unambiguously
(such as the partition that has a group member whose alphabetical order precedes all other
members). All sponsors in the other partitions send tree information to this partition (k − 1 messages).
Upon receiving these messages, the sponsor in the chosen partition can compute all required blinded
keys, and it broadcasts the whole key tree containing only blinded keys (one more message).
Finally, all members can compute the group key.

This protocol has optimal communication costs: k messages and 2 rounds. However, it has
an obvious drawback: when the group including the sponsor has only one member, all n − 1
blinded keys need to be recomputed. On the other hand, if we can choose a highly populated
partition, we can save on the number of modular exponentiations. Therefore, in the first round of merge,
the sponsor in every partition sends its tree information (k messages) and the sponsor in the biggest
group acts as the sponsor that broadcasts the new set of bkeys. Note that the number of rounds is more
sensitive for the performance of a multi-round multi-party protocol than the number of messages,
as shown in [2].


VII.  Related  Work 

Group key management protocols come in three different flavors: contributory key agreement
protocols, centralized or decentralized group key distribution schemes, and server-based key
distribution protocols. Since the focus of this work is to provide a common key to the dynamic peer
group, we only consider the first two below.


A.  Group  Key  Agreement  Protocols 

We  begin  by  first  summarizing  the  early  (and  theoretical)  group  key  agreement  protocols 
which  did  not  consider  dynamic  membership  operations  and  only  supported  group  formation. 

The earliest attempt to obtain contributory group key agreement built upon 2-party Diffie-
Hellman (DH) is due to Ingemarsson et al. (called ING) for teleconferencing [16]. In the first
round of ING, every member M_i generates its session random N_i and computes α^{N_i}. In the
subsequent rounds k to n − 1, M_i computes K_{i,k} = (K_{(i−1) mod n, k−1})^{N_i}, where K_{i−1,k−1} is the message
received from M_{i−1} in the previous round k − 1 and n is the number of group members. The
resulting group key is of the form:

    K_n = α^{N_1 N_2 N_3 ... N_n}


The ING protocol is inefficient: 1) every member has to start synchronously, 2) n − 1 rounds
are required to compute a group key, 3) it is hard to support dynamic membership operations
due to its symmetric structure, and 4) n sequential modular exponentiations are required.

Another group key agreement developed for teleconferencing was proposed by Kim et al. [18].
This protocol (called TGDH, for Tree-based Group Diffie-Hellman) is of particular interest since
its group key structure is similar to that of STR.

TGDH is well-suited for the member leave operation since it takes only one round and log(n)
modular exponentiations. Member addition, however, is relatively costly since - in order to
keep the key tree balanced - the sponsor performs log(n) exponentiations. Also, in the event of a
partition, as many as log(n) rounds may be necessary to stabilize the key tree. This is where
STR offers a clear advantage.

Burmester and Desmedt construct an efficient protocol (called BD) which takes only two
rounds and three modular exponentiations per member to generate a group key [11]. This
efficiency allows all members to re-compute the group key for any membership change by
performing this protocol. However, according to [28], most (at least half) of the members need
to change their session random on every membership event. The group key in this protocol is
different from STR and TGDH:

    K_n = α^{N_1 N_2 + N_2 N_3 + ... + N_n N_1}
A shortcoming of BD is the high communication overhead. It requires 2n broadcast messages
and each member needs to generate 2 signatures and verify 2n signatures.

Becker and Wille analyze the minimal communication complexity of contributory group key
agreement in general [5] and propose two protocols: octopus and hypercube. Their group key
has the same structure as the key in TGDH. For example, for eight users their group key is:

    K_8 = α^{ (α^{α^{r_1 r_2} · α^{r_3 r_4}}) · (α^{α^{r_5 r_6} · α^{r_7 r_8}}) }


The Becker/Wille protocols handle join and merge operations efficiently, but the member leave
operation is inefficient. Also, the hypercube protocol requires the group to be of size 2^n (for
some integer n); otherwise, the efficiency slips.

Asokan et al. look at the problem of small-group key agreement, where the members do not
have previously set up security associations [3]. Their motivating example is a meeting where the
participants want to bootstrap a secure communication group. They adapt password-authenticated
DH key exchange to the group setting. Their setting, however, is different from ours, since they
assume that all members share a secret password, whereas we assume a PKI where each member
can verify any other member's authenticity and authorization to join the group.

Tzeng and Tzeng propose an authenticated key agreement scheme that is based on secure
multi-party computation [29]. This scheme also uses 2·N broadcast messages. Although the
cryptographic mechanisms are quite elegant, a shortcoming is that the resulting group key does
not provide perfect forward secrecy (PFS). If a long-term secret key is broken and/or published,
all previous and future group keys (where that key was used) are also revealed.

Steiner et al. first address dynamic membership issues [4], [28] in group key agreement and
propose a family of Group Diffie-Hellman (GDH) protocols based on straightforward extensions
of two-party Diffie-Hellman. GDH provides contributory authenticated key agreement, key
independence, key integrity, resistance to known key attacks, and perfect forward secrecy. Their
protocol suite is fairly efficient in leave and partition operations, but the merge protocol requires
as many rounds as the number of new members to complete key agreement.

Perrig  extends  the  work  of  one-way  function  trees  (OFT,  originally  introduced  by  McGrew 
and  Sherman  [20])  to  design  a  tree-based  key  agreement  scheme  for  peer  groups  [23].  However, 
this  work  does  not  consider  group  merges  and  partitions. 
B. Decentralized Group Key Distribution Protocols

Decentralized group key distribution protocols can be preferred to contributory group key agreement protocols, since they rely on inexpensive symmetric key encryption techniques. However, all group key distribution schemes assume a secure channel that is, in practice, implemented by a public key cryptosystem (e.g. Diffie-Hellman). Furthermore, they require the leader to establish multiple secure two-party channels between itself and the other group members in order to securely distribute the new key. Maintaining such channels in dynamic groups can be expensive, since setting up each channel involves a separate two-party key agreement. When a group is dynamic, the amortized number of secure channels becomes $O(n^2)$. Another disadvantage is the reliance on a single entity to generate good (i.e., cryptographically strong, random) keys.

The first decentralized group key distribution scheme is due to Waldvogel et al. [12]. They propose efficient protocols for small-group key agreement and large-group key distribution. Unfortunately, their scheme for autonomous small-group key agreement is not collusion resistant.

Dondeti et al. modified OFT (One-way Function Tree) [20] to provide dynamic server election [14]. This protocol has the same key tree structure and uses similar notation (e.g. keys, blinded keys). Apart from the expensive maintenance of secure channels described above, this protocol has a high communication cost: even for a single join or leave, it can take $O(h)$ rounds to complete, where $h$ is the height of the key tree. The authors consider neither merge and partition events nor implementation. One advantage over the other schemes is that their group key does not depend on a single entity.

Rodeh et al. [24] propose a decentralized group key distribution protocol extended from the LKH protocol [30]. It tolerates network partitions and other network events. Even though this approach cannot avoid the basic disadvantages discussed above, the authors reduce the communication and computational cost. In addition, they use an AVL tree to provide a provable and efficient tree height.


VIII.  Conclusion 

In  this  paper  we  described  a  provably  secure  contributory  group  key  agreement  protocol 
(STR)  optimized  for  communication.  STR  supports  all  dynamic  peer  group  operations:  join, 
leave,  merge,  and  partition.  Furthermore,  it  easily  handles  cascaded  (nested)  membership  events 
and  network  failures. 
Assuming that Moore's Law continues to hold, the computational cost of cryptographic
operations  will  gradually  decrease.  Eventually,  communication  latency,  which  has  a  lower-bound 
dictated  by  the  speed  of  light,  will  dominate  the  cost  of  computation  in  determining  the  running 
time  of  group  key  agreement  protocols.  STR  is  already  the  most  efficient  group  key  agreement 
protocol  over  high-delay  wide-area  networks;  it  will  become  more  advantageous  as  processor 
speeds  increase. 
Appendix

Decisional  Imbalanced  Group  Diffie-Hellman  Problem 

A.  2-party  Decision  Diffie-Hellman  Problem 

Our proofs require a specific group setting. In this section, we introduce a specific group $G$ and define the 2-party Decision Diffie-Hellman (DDH) problem on $G$.

Let $k$ be a security parameter and $n$ be an integer. All algorithms run in probabilistic polynomial time with $k$ and $n$ as inputs.

For  concreteness,  we  consider  a  specific  group  G: 

On input $k$, algorithm gen chooses at random a pair $(q, \alpha)$ where $q$ is a $2k$-bit value⁷, and $q$ and $p = 2q + 1$ are both prime. Before introducing $G$, we first consider a group $\tilde{G}$, which is the group of squares modulo the prime $p$. This group can be described more precisely as follows: Consider an element $\alpha$ which is the square of a primitive element $a$ of the multiplicative group $\mathbb{Z}_p^*$, i.e. $\alpha = a^2$. (Without loss of generality, we may assume $\alpha < q$.) Then the group $\tilde{G}$ can be represented as

$$\tilde{G} = \{\alpha^i \bmod p \mid i \in [1, q]\}.$$

An attractive variation of this group is to represent the elements by the integers from $0$ to $q - 1$.

⁷In order to achieve the security level $2^{-k}$, the group size should be at least $2^{2k}$ [25].
The group operation is slightly different: Let a function $f$ be defined as

$$f(x) = \begin{cases} x & \text{if } x \le q \\ p - x & \text{if } q < x < p. \end{cases}$$

Using this $f$ function, we can introduce the group $G$ as

$$G = \{f(\alpha^i \bmod p) \mid i \in \mathbb{Z}_q\}.$$

The group operation on $G$ is defined as $a \cdot b = f(a \cdot b \pmod p)$, where $a, b \in G$.

Proposition 3: Let $g(x) = \alpha^x \bmod p$. Then the function $f \circ g$ is a bijection from $\mathbb{Z}_q$ to $\mathbb{Z}_q$.

Proof: To see this, suppose $f \circ g(x) = f \circ g(y)$. This can be written as $f(X) = f(Y)$, where the integers $X = \alpha^x \bmod p$ and $Y = \alpha^y \bmod p$. There are four cases:

• $X \le q, Y \le q$: In this case, $f(X) = X$ and $f(Y) = Y$, hence $X = Y$. Now we have the equation $a^{2(x-y)} = 1 \bmod p$. Since $a$ is a generator of $\mathbb{Z}_p^*$, its order (i.e. $2q$) has to divide $2(x - y)$. This implies that $q$ has to divide $x - y$, and finally $x = y$ since $0 \le x, y < q$.

• $X > q, Y > q$: In this case, $f(X) = p - X$ and $f(Y) = p - Y$, hence $X = Y$. The rest is the same as above.

• $X \le q, Y > q$: This case is impossible, since $\left(\frac{X}{p}\right) = 1$ while $\left(\frac{p - Y}{p}\right) = -1$ because $p = 3 \bmod 4$, yet $X = p - Y$.

• $X > q, Y \le q$: This is also impossible by similar reasoning.

Therefore, $f \circ g$ is an injection. It is also a surjection, since the domain and co-domain have the same size. ■

Proposition 4: When $r$ is uniformly distributed in $G$, $f \circ g(r)$ is still uniformly distributed in $G$, since $f \circ g$ is bijective.

Groups of this type are also considered by Chaum [13]. It is generally assumed that DDH is intractable in these groups [7]. More concretely, the 2-party Decision Diffie-Hellman assumption on group $G$ is that for all polynomial time attackers $A$, for all polynomials $Q(k)$, $\exists k_0\ \forall k > k_0$, for $X_0 := N_1 N_2$ and $X_1 := N_3$ with $N_1, N_2, N_3 \in_R G$ uniformly chosen, and for a random bit $b$, the following holds:

$$\left|\,\mathrm{Prob}[A(1^k; G; \alpha; \alpha^{N_1}; \alpha^{N_2}; \alpha^{X_b}) = b] - 1/2\,\right| < 1/Q(k).$$
B. Decisional Imbalanced Tree Group Diffie-Hellman Problem

We  start  with  the  easier  problem  where  a  key  tree  is  completely  imbalanced.  Fig.  11  shows 
the  structure  and  the  notation  for  the  imbalanced  tree. 


[Figure: imbalanced key tree; each node is labelled with its key and session random $K_i/R_i$ and its blinded values $BK_i/BR_i$.]

Fig. 11. Notations for Imbalanced Tree


For $(q, \alpha) \leftarrow \mathrm{gen}(k)$, $n \in \mathbb{N}$ and $X = (R_1, R_2, \ldots, R_n)$ for $R_i \in G$ and an imbalanced key tree $IT$ with $n$ leaf nodes which correspond to the $R_i$, we define the following random variables:

• $K_i$: $i$-th level key

• $BK_i$: $i$-th level blinded key, i.e. $\alpha^{K_i} \bmod p$

• $R_i$: $i$-th level session random chosen uniformly from $G$, where $G$ is the group introduced in the previous section. For $i = 1$, $R_1 = K_1$.

• $BR_i$: $i$-th level blinded session random, i.e. $\alpha^{R_i} \bmod p$. For $i = 1$, $BR_1 = BK_1$.

• $K_i$ is recursively defined as follows:

$$K_i = \alpha^{K_{i-1} R_i} = BK_{i-1}^{R_i} = BR_i^{K_{i-1}}$$

$K_i$ and $R_i$ are secret, and $BK_i$ and $BR_i$ are public. In Section IV, the $BK_i$ and $BR_i$ will be publicly available, while $K_i$ will be known to all group members and $R_i$ will be known only to a single member. The root node $K_n$ will be used as the group key.
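The two derivations of $K_i$ above (the member holding $R_i$ computes $BK_{i-1}^{R_i}$, everyone else computes $BR_i^{K_{i-1}}$) and the group $G$ with its map $f$ from the previous section (Proposition 3), as an added runnable example that is not part of the paper. It uses a constructed toy safe prime $p = 47$ ($q = 23$) with primitive element $a = 5$, so $\alpha = 25$; the function names are this example's own, not the paper's.

```python
# Added example (not the paper's code): the group G of Appendix A and the
# STR key chain K_i = alpha^{K_{i-1} R_i} of Appendix B on a toy safe prime.
import secrets

def f(x, p):
    """The map f from the appendix: keep x if x <= q, else p - x."""
    q = (p - 1) // 2
    return x if x <= q else p - x

def make_group(a, p):
    """Algorithm gen for fixed inputs: p = 2q+1 with q prime and a a primitive
    element of Z_p^*; alpha = a^2 generates the squares. Returns (q, alpha)."""
    assert p % 4 == 3, "p = 3 mod 4 is needed so that -1 is a non-residue"
    return (p - 1) // 2, a * a % p

def group_mul(a, b, p):
    """Group operation on G: a . b = f(a*b mod p)."""
    return f(a * b % p, p)

def f_o_g_is_bijection(q, alpha, p):
    """Proposition 3 checked exhaustively: x -> f(alpha^x mod p) is injective on
    {0..q-1}, hence a bijection onto the q representatives in G."""
    return len({f(pow(alpha, x, p), p) for x in range(q)}) == q

def str_key_chain(alpha, p, randoms):
    """Member i, holding its own R_i, derives K_i = BK_{i-1}^{R_i} (K_1 = R_1).
    Returns (keys K_i, blinded keys BK_i, blinded randoms BR_i)."""
    keys, bks, brs = [], [], []
    for i, r in enumerate(randoms):
        k = r if i == 0 else pow(bks[-1], r, p)
        keys.append(k)
        bks.append(pow(alpha, k, p))   # BK_i = alpha^{K_i}, public
        brs.append(pow(alpha, r, p))   # BR_i = alpha^{R_i}, public
    return keys, bks, brs

def chain_consistent(p, keys, brs):
    """The other derivation on the page: a member who knows K_{i-1} and sees only
    the public BR_i computes BR_i^{K_{i-1}} and must obtain the same K_i."""
    return all(pow(brs[i], keys[i - 1], p) == keys[i] for i in range(1, len(keys)))

if __name__ == "__main__":
    q, alpha = make_group(5, 47)          # constructed toy parameters, q = 23
    assert f_o_g_is_bijection(q, alpha, 47)
    randoms = [secrets.randbelow(q) + 1 for _ in range(4)]   # R_i uniform in G
    keys, bks, brs = str_key_chain(alpha, 47, randoms)
    assert chain_consistent(47, keys, brs) and bks[0] == brs[0]
    print("group key K_n =", keys[-1], "| public view:", bks[:-1], brs)
```

Note that `bks[:-1]` together with `brs` is exactly the view of the next section: the root's blinded key is never published.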

For $(q, \alpha) \leftarrow \mathrm{gen}(k)$, $n \in \mathbb{N}$ and $X = (R_1, R_2, \ldots, R_n)$ for $R_i \in G$ and an imbalanced key tree $IT$ with $n$ leaf nodes which correspond to the $R_i$, we can define the public and secret values collectively as below:

$$\begin{aligned}
\mathrm{view}(q, \alpha, n, X, IT) &= \{BK_i \mid 1 \le i \le n-1\} \cup \{BR_i \mid 1 \le i \le n\} \\
&= \{\alpha^{K(i, X, IT)} \bmod p \mid 1 \le i \le n-1\} \cup \{BR_i \mid 1 \le i \le n\} \\
&= \{\alpha^{R_1}, \alpha^{\alpha^{R_1 R_2}}, \alpha^{\alpha^{\alpha^{R_1 R_2} R_3}}, \ldots, \alpha^{\alpha^{K_{n-2} R_{n-1}}}\} \cup \{\alpha^{R_1}, \ldots, \alpha^{R_n}\} \\
K(q, \alpha, n, X, IT) &= \alpha^{K_{n-1} R_n} = \alpha^{\alpha^{K_{n-2} R_{n-1}} R_n}
\end{aligned}$$
Since $(q, \alpha)$ are obvious from the context, we omit them in $\mathrm{view}()$ and $K()$. Also, for simplicity, we sometimes use $K_n$ instead of $K(n, X, IT)$. The $\mathrm{view}(n, X, IT)$ represents all public information, and the root secret key is $K(n, X, IT)$. Let the following two random variables be defined by generating $(q, \alpha) \leftarrow \mathrm{gen}(k)$ and choosing $X$ randomly from $G$:

• $A_n := (\mathrm{view}(n, X, IT), y)$ and

• $D_n := (\mathrm{view}(n, X, IT), K_n)$

The operator "$\approx_{\mathrm{poly}}$" denotes polynomial indistinguishability as in [28].

Proposition 5: Let $K$ and $R$ be $l$-bit strings such that $R$ is random and $K$ is a Diffie-Hellman key. We say that $K$ and $R$ are polynomially indistinguishable if, for all polynomial time distinguishers $A$, the probability of distinguishing $K$ and $R$ is smaller than $\left(\frac{1}{2} + \frac{1}{Q(l)}\right)$, for all polynomials $Q(l)$.

The following is the main lemma (induction argument) for the DITGDH problem.

Lemma 1: If the DDH assumption holds and $A_{n-1} \approx_{\mathrm{poly}} D_{n-1}$, then $A_n \approx_{\mathrm{poly}} D_n$.

Proof: Assume that there exists a polynomial algorithm that can distinguish between $A_n$ and $D_n$. We will show that this algorithm can be used to distinguish $A_{n-1}$ and $D_{n-1}$ or to solve the 2-party DDH problem.

Consider the following equations when $X_1 = (R_1, R_2, \ldots, R_{n-1})$ and $IT_1$ is the subtree rooted at the left child of the root node:

$$\begin{aligned}
A_n &:= (\mathrm{view}(n, X, IT), y) \\
&= (\mathrm{view}(n-1, X_1, IT_1), BK_{n-1}, BR_n, y) \\
&= (\mathrm{view}(n-1, X_1, IT_1), \alpha^{K(n-1, X_1, IT_1)}, \alpha^{R_n}, y) \\
B_n &:= (\mathrm{view}(n-1, X_1, IT_1), \alpha^{r}, \alpha^{R_n}, y) \\
C_n &:= (\mathrm{view}(n-1, X_1, IT_1), \alpha^{r}, \alpha^{R_n}, \alpha^{r R_n}) \\
D_n &:= (\mathrm{view}(n, X, IT), K(n, X, IT)) \\
&= (\mathrm{view}(n-1, X_1, IT_1), BK_{n-1}, BR_n, \alpha^{K_{n-1} R_n}) \\
&= (\mathrm{view}(n-1, X_1, IT_1), \alpha^{K(n-1, X_1, IT_1)}, \alpha^{R_n}, \alpha^{K(n-1, X_1, IT_1)\, R_n})
\end{aligned}$$

Since we can distinguish $A_n$ and $D_n$ in polynomial time, we can distinguish at least one of ($A_n$ and $B_n$) or ($B_n$ and $C_n$) or ($C_n$ and $D_n$).

• $A_n$ and $B_n$: Suppose one can distinguish $A_n$ and $B_n$ in polynomial time. We will show that this distinguisher $A_{AB_n}$ can be used to solve the DITGDH problem with height $n-1$. Suppose we want to decide whether $P'_{n-1} = (\mathrm{view}(n-1, X', IT'), r')$ is an instance of the DITGDH problem or $r'$ is a random number. To solve this problem, we generate a random number $r''$ and compute $\alpha^{r''}$. Using $P'_{n-1}$ and the pair $(r'', \alpha^{r''})$, we can generate a distribution

$$P_n = (\mathrm{view}(n-1, X', IT'), \alpha^{r'}, \alpha^{r''}, y)$$

where $y \in_R G$. Now we put $P_n$ as an input of $A_{AB_n}$. If $P_n$ is an instance of $A_n$ ($B_n$), then $P'_{n-1}$ is an instance of $D_{n-1}$ ($A_{n-1}$) by Proposition 4, respectively.

• $B_n$ and $C_n$: Suppose we can distinguish $B_n$ and $C_n$ in polynomial time. We will show that this distinguisher $A_{BC_n}$ can be used to solve the 2-party DDH problem in group $G$. Note that $\alpha^r$ is independent of $\mathrm{view}(n-1, X_1, IT_1)$. Suppose we want to test whether $(\alpha^a, \alpha^b, \alpha^c)$ is a DDH triple or not. To solve this problem, we generate a key tree $T'$ of height $n-1$ with distributions $X'$. Now we generate a new distribution:

$$P_n = (\mathrm{view}(n-1, X', T'), \alpha^a, \alpha^b, \alpha^c).$$

If $P_n$ is an instance of $B_n$ ($C_n$), then $(\alpha^a, \alpha^b, \alpha^c)$ is a valid (invalid) DDH triple, respectively.
• $C_n$ and $D_n$: Suppose one can distinguish $C_n$ and $D_n$ in polynomial time. We will show that this distinguisher $A_{CD_n}$ can be used to solve the DITGDH problem with height $n-1$. Suppose we want to decide whether $P'_{n-1} = (\mathrm{view}(n-1, X', IT'), r')$ is an instance of the DITGDH problem or $r'$ is a random number. To solve this problem, we generate a random number $r''$ and compute $\alpha^{r''}$. Using $P'_{n-1}$ and the pair $(r'', \alpha^{r''})$, we generate a distribution:

$$P_n = (\mathrm{view}(n-1, X', IT'), \alpha^{r'}, \alpha^{r''}, \alpha^{r' r''}).$$

Note that we can compute $\alpha^{r' r''}$ since we know $\alpha^{r'}$ and $r''$. Now we put $P_n$ as an input of $A_{CD_n}$. If $P_n$ is an instance of $C_n$ ($D_n$), then $P'_{n-1}$ is an instance of $D_{n-1}$ ($A_{n-1}$) by Proposition 4.

■ 

Lemma 2: If the DDH assumption holds, then $A_3 \approx_{\mathrm{poly}} D_3$.

The proof is similar to the above. The only difference is that we can break the 2-party DDH assumption using $A_{AB_3}$ or $A_{CD_3}$.

Using  induction  and  Lemmas  1  and  2,  the  following  theorem  can  be  easily  proved. 

Theorem  3  (DITGDH  problem):  If  the  2-party  DDH  problem  is  hard,  then  DITGDH  is  also 
hard. 